Clickjacking

Severity: Medium–High | CWE: CWE-1021 | OWASP: A04:2021 – Insecure Design

What Is Clickjacking?

Clickjacking (UI redress attack) overlays an invisible <iframe> of the target site over a fake UI, tricking users into clicking target UI elements while believing they’re interacting with the attacker’s page.

Victim sees: "Click here to win a prize!" button
Reality: Transparent iframe of target.com/delete-account is positioned so the victim clicks the "Confirm Delete" button instead

Impact escalation: clickjacking + CSRF → privileged actions; clickjacking + XSS → cookie theft; clickjacking drag-and-drop → text exfiltration. ...

February 24, 2026 · 4 min · MrAzoth

CORS Misconfiguration

Severity: High | CWE: CWE-942 | OWASP: A01:2021 – Broken Access Control

What Is CORS?

Cross-Origin Resource Sharing (CORS) allows browsers to make cross-origin requests. A server opts in by returning Access-Control-Allow-Origin headers. The vulnerability occurs when the server reflects the attacker’s origin, allows the null origin, or uses overly broad wildcards — combined with Access-Control-Allow-Credentials: true — letting an attacker’s site read authenticated responses from the victim’s browser.

Normal same-origin policy: browser blocks cross-origin reads (by default)
CORS misconfigured: server says "yes, attacker.com can read my responses" → attacker.com JS reads victim's authenticated API data

Key rule: Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true is spec-forbidden — browsers reject it. The dangerous case is when the server dynamically reflects a specific origin. ...

February 24, 2026 · 4 min · MrAzoth

CSRF (Cross-Site Request Forgery)

Severity: High | CWE: CWE-352 | OWASP: A01:2021 – Broken Access Control

What Is CSRF?

CSRF forces an authenticated user’s browser to send a forged request to a target site. The browser automatically attaches the site’s cookies (session tokens) to any request destined for that site, regardless of which page initiated it, so the forged request carries valid authentication. The attacker doesn’t steal credentials — they hijack the session to perform an action.

Victim is logged into bank.com (has session cookie)
Attacker sends victim to: evil.com/csrf.html
Page silently submits: POST bank.com/transfer?to=attacker&amount=5000
Browser auto-attaches: Cookie: session=VALID_SESSION
Bank processes it: ✓ authenticated, executes transfer

Conditions required: ...

February 24, 2026 · 7 min · MrAzoth

DOM Clobbering

Severity: Medium–High | CWE: CWE-79, CWE-20 | OWASP: A03:2021 – Injection | A05:2021 – Security Misconfiguration

What Is DOM Clobbering?

DOM Clobbering exploits the browser behavior where HTML elements with id or name attributes become properties on the global window object (and the document object). When JavaScript code references window.x or document.x without first defining it, an attacker who can inject HTML can control that reference by injecting an element with id="x". ...

February 24, 2026 · 10 min · MrAzoth

postMessage Attacks

Severity: High | CWE: CWE-346, CWE-79 | OWASP: A03:2021 – Injection | A01:2021 – Broken Access Control

What Are postMessage Attacks?

window.postMessage() enables cross-origin communication between browser windows/iframes/workers. Security issues arise when the receiving message handler:

- Fails to validate event.origin — accepts messages from any origin
- Passes event.data to dangerous sinks (eval, innerHTML, location, document.write)
- Uses event.source unsafely to send sensitive data back

Attack surface: the handler is JavaScript code — exploitation leads to XSS, open redirect, CSRF, data theft, and iframe communication abuse. ...

February 24, 2026 · 6 min · MrAzoth

Prototype Pollution (Client-Side)

Severity: High | CWE: CWE-1321 | OWASP: A03:2021 – Injection

What Is Prototype Pollution?

Every JavaScript object inherits from Object.prototype. If an attacker can inject arbitrary properties into Object.prototype, those properties are inherited by all objects in the application — leading to property injection, logic bypass, and XSS.

    // Normal:
    let obj = {};
    obj.admin // undefined

    // After prototype pollution via:
    Object.prototype.admin = true;

    // Now ALL objects are "admin" (fresh object, same lookup):
    obj = {};
    obj.admin // true ← inherited from prototype

Attack surface: any function that recursively merges, clones, or sets properties from user-controlled paths like __proto__, constructor.prototype, or prototype. ...

February 24, 2026 · 4 min · MrAzoth

WebSocket Security Testing

Severity: High | CWE: CWE-345, CWE-20, CWE-79 | OWASP: A03:2021 – Injection | A07:2021 – Identification and Authentication Failures

What Are WebSocket Attacks?

WebSockets provide full-duplex, persistent connections. Unlike HTTP, WebSocket frames lack built-in CSRF protection, don’t require Content-Type negotiation, and are often less scrutinized for injection. Attack surface: Cross-Site WebSocket Hijacking (CSWSH), injection via WebSocket messages, and authentication bypass.

Upgrade handshake:

    GET /chat HTTP/1.1
    Host: target.com
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
    Origin: https://target.com

→ After upgrade: bidirectional message frames
→ No per-message CSRF protection
→ No per-message authentication header requirement

Discovery Checklist

- Find WebSocket endpoints: browser DevTools → Network → WS filter
- Check the Upgrade handshake — does the server validate the Origin header?
- Test CSWSH: connect from attacker.com — does it use the victim’s session cookie?
- Replay captured WebSocket messages with modified data (Burp WS Repeater)
- Test injection in WebSocket message payloads: XSS, SQLi, CMDi, SSTI
- Check authentication: is auth checked at handshake only or per-message?
- Test for IDOR in message IDs/room IDs
- Test for privilege escalation via message type manipulation
- Check if WebSocket messages are reflected (stored XSS via WS)
- Test token-based auth: JWT in WS URL or first message — test bypass
- Test reconnection — does reconnect revalidate auth?
- Test wss:// downgrade to ws:// (cleartext)

Payload Library

Attack 1 — Cross-Site WebSocket Hijacking (CSWSH)

If the server doesn’t validate the Origin header during the WebSocket handshake, an attacker’s page can initiate a WebSocket connection that carries the victim’s session cookie. ...

February 24, 2026 · 6 min · MrAzoth